<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Rescued from the Spam bucket. Please remember to register with the mailing list before posting to it.<br><div><br><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">"Walter Robert Ditzler" &lt;<a href="mailto:ditwal001@gmail.com">ditwal001@gmail.com</a>&gt;<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>problem establishing traffic between 2 networks over openswan/ipsec</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">13 January, 2013 8:57:41 AM EST<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;">&lt;<a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>&gt;<br></span></div><br><br>Hi there,<br><br>I have been stuck for weeks now getting a tunnel to work. Now I really need some cracks to help me if possible. 
What I need is:<br><br>- A tunnel from 10.41.50.0/24 to 10.41.20.0/23<br><br>My network looks as follows:<br><br>***<br>[10.41.50.0/24] &lt;&gt; [10.41.50.1 (Firewall/m0n0) 192.168.0.2] &lt;&gt; [192.168.0.1 (ADSL) 87.xxx.xxx.xxx] &lt;&gt; [62.xxx.xxx.xxx (Firewall/NAT/Squeeze) 10.41.10.1] &lt;&gt; [10.41.10.2 (Openswan/IPSEC/wheezy) 10.41.20.1] &lt;&gt; [10.41.20.0/23]<br>***<br><br>Below I send some exports of my configuration. I don't know what else to do ☹.<br><br>What I did and what works/doesn't work:<br><br>1) I created the tunnel, I think that should be OK<br>2) the IPsec is OK<br>3) the tunnel interface is not there (ifconfig)<br>4) ping/traffic doesn't go through<br>5) traffic arrives at the Openswan world NIC in encapsulated UDP packets when I run ping on the remote network over the tunnel<br><br>thanks a lot out there for help!<br><br>walter.<br><br><br><br>root@srv:/etc# nano /etc/ipsec.conf<br>***<br>version 2.0<br><br>config setup<br> interfaces="%defaultroute"<br> nat_traversal=yes<br> dumpdir=/var/run/pluto/<br> oe=off<br> protostack=netkey<br> uniqueids=yes<br><br>conn block<br> auto=ignore<br>conn private<br> auto=ignore<br>conn clear<br> auto=ignore<br>conn clear-or-private<br> auto=ignore<br><br>conn ABO_CHBSLBS212<br> left=62.xxx.xxx.xxx<br> leftsubnet=10.41.20.0/23<br> leftnexthop=10.41.10.1<br> leftid=chbslsa52@abc.net<br> right=87.xxx.xxx.xxx<br> rightsubnet=10.41.50.0/24<br> rightnexthop=10.41.50.1<br> rightid=chbslbs212@abc.net<br> auto=start<br> pfs=yes<br> aggrmode=no<br> ike=3des-md5;modp1024<br> phase2=esp<br> phase2alg=3des-md5;modp1024<br> authby=secret<br> #rekey=no<br> #keyingtries=3<br> #dpddelay=3500<br> #dpdtimeout=3500<br> #dpdaction=clear<br> type=tunnel<br><br>conn ABO_MOBILE<br> authby=secret<br> pfs=no<br> rekey=no<br> keyingtries=3<br> dpddelay=30<br> dpdtimeout=60<br> dpdaction=clear<br> compress=yes<br> left=%defaultroute<br> leftprotoport=udp/1701<br> right=%any<br> 
rightprotoport=udp/0<br> auto=add<br> aggrmode=no<br> ike=3des-md5-modp1024<br> esp=3des-md5<br>***<br><br><br>root@srv:/etc# nano /etc/ipsec.secrets<br>***<br>include /var/lib/openswan/ipsec.secrets.inc<br><br><a href="mailto:chbslsa52@abc.net">chbslsa52@abc.net</a> <a href="mailto:chbslbs212@abc.net">chbslbs212@abc.net</a>: PSK "abc"<br>***<br><br><br>root@srv:/etc# ipsec setup status<br>***<br>IPsec running - pluto pid: 2760<br>pluto pid 2760<br>1 tunnels up<br>some eroutes exist<br>***<br><br><br>root@srv:/etc/abbeoo# ip xfrm state<br>***<br>src 87.xxx.xxx.xxx dst 10.41.10.2<br> proto esp spi 0x5c41132b reqid 16405 mode tunnel<br> replay-window 32 flag af-unspec<br> auth-trunc hmac(md5) 0x0df17831b8c406f14c5454677eb00244 96<br> enc cbc(des3_ede) 0x5a170cc7d8f69bdc254820a8e07cdbd37fefacdaa2e579c2<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>src 10.41.10.2 dst 87.xxx.xxx.xxx<br> proto esp spi 0x0eb114bb reqid 16405 mode tunnel<br> replay-window 32 flag af-unspec<br> auth-trunc hmac(md5) 0xf976d837935941437a50fb3fb0cfff6b 96<br> enc cbc(des3_ede) 0x246f00e61bbe1e84146c93b8837f6640d48282e83a3fa060<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>***<br><br><br>root@srv:/etc/abbeoo# ip route show<br>***<br>default via 10.41.10.1 dev eth0<br>10.41.10.0/24 dev eth0 proto kernel scope link src 10.41.10.2<br>10.41.20.0/23 dev eth1 proto kernel scope link src 10.41.20.1<br>***<br><br><br>root@srv:/etc/abbeoo# ifconfig<br>***<br>eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx<br> inet addr:10.41.10.2 Bcast:10.41.10.255 Mask:255.255.255.0<br> inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:90366 errors:0 dropped:1925 overruns:0 frame:0<br> TX packets:120048 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000<br> RX bytes:28586733 (27.2 MiB) TX bytes:49990071 (47.6 MiB)<br> Interrupt:16 Memory:fe9e0000-fea00000<br><br>eth1 Link encap:Ethernet HWaddr 
xx:xx:xx:xx:xx:xx<br> inet addr:10.41.20.1 Bcast:10.41.21.255 Mask:255.255.254.0<br> inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:131170 errors:0 dropped:4 overruns:0 frame:0<br> TX packets:98124 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000<br> RX bytes:50952183 (48.5 MiB) TX bytes:30981050 (29.5 MiB)<br> Interrupt:17 Memory:feae0000-feb00000<br><br>lo Link encap:Local Loopback<br> inet addr:127.0.0.1 Mask:255.0.0.0<br> inet6 addr: ::1/128 Scope:Host<br> UP LOOPBACK RUNNING MTU:65536 Metric:1<br> RX packets:348 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:348 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:0<br> RX bytes:38814 (37.9 KiB) TX bytes:38814 (37.9 KiB)<br>***<br><br><br>root@srv:/etc/abbeoo# tcpdump -f udp -i eth0<br>***<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92<br>14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92<br>14:26:08.297490 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cd), length 92<br>14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive<br>***<br><br><br>root@srv:/etc/abbeoo# ipsec verify<br>***<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.37-g955aaafb-dirty/K3.7.1.1-abo.srv (netkey)<br>Checking for IPsec support in kernel [OK]<br> SAref kernel support [N/A]<br> NETKEY: Testing XFRM related proc values [OK]<br> [OK]<br> [OK]<br>Checking that pluto is running [OK]<br> Pluto listening for IKE on udp 500 [OK]<br> Pluto listening for NAT-T on udp 4500 [OK]<br>Two or more interfaces found, 
checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>Checking /bin/sh is not /bin/dash [WARNING]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br>***<br><br><br><br></div></div><br></body></html>